How to Change a User's Active Directory Password with PowerShell

Summary: The Scripting Guys discuss using Windows PowerShell to change a user's Active Directory password in this how-to article.

Hey, Scripting Guy! I need to be able to change a user’s password by using Windows PowerShell. In the VBScript days, I had a script that I had essentially copied from the How Can I Change a User’s Password? Scripting Guy post. The problem is that when I attempt something like that using Windows PowerShell, it fails. This is a real problem because we have many calls to the help desk from users who for whatever reason are forgetting their passwords. This has gotten worse since we began to enforce password complexity and shortened the amount of time between password changes. We need to implement a self-serve password solution, but those things are expensive.

-- SD

Hello SD,

Microsoft Scripting Guy Ed Wilson here. It is almost inevitable that when a group of network administrators get together, their stories soon involve clueless users. There may be many reasons for this, but I think one of the main causes is simply the proliferation of computers and the way in which they have touched nearly every aspect of life. Because a user has a computer at home, they tend to think they know all about computers at work. I mean, welders do not get evening phone calls from their co-workers who are trying to weld aluminum with a 3/32 7018 rod and are experiencing predictably poor results, do they?

Yet, I cannot count the number of times when I was a network administrator and I received phone calls at night and on weekends from co-workers who were attempting to perform a similar operation on their home computers. Some user stories have become legendary. The broken retractable “cup holder” on the computer, and the missing “any key” are two such stories that spring to mind. More pedestrian user stories nearly always surround users and passwords. I could spend nearly a week writing such stories from my own experience, but by the end of the week, you would either be bored or in tears. Neither is the desired reader experience for this blog.

SD, luckily the little critter whose picture I took in Chattanooga, TN, is not actually a network user. But he does appear to be ready for winter.

To change a user’s password using Windows PowerShell, you can use the [adsi] type accelerator. To do this, bind to the user object by passing the user's entire distinguished name in an LDAP path. This line of the code is shown here (keep in mind that the LDAP moniker is case-sensitive and must be all capital letters; it does not refer to a police department in southern California):

$oUser=[adsi]"LDAP://$user"

Next, call the Invoke method of the psbase object to invoke the SetPassword method, passing the new password as its argument. Then you must commit the changes. This is shown here:
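The whole ADSI sequence end to end, as an added example rather than the Set-AdUserPwd.ps1 script the post refers to. The distinguished name is an assumed placeholder, the SecureString handling is added so the clear-text password is not echoed or left in history, and the closing pwdLastSet step is an addition that marks the account as "user must change password at next logon":

```powershell
# Added example, not the original Set-AdUserPwd.ps1 script.
# Assumptions: $user holds a placeholder distinguished name; the caller has
# the "Reset Password" right on that object; run from a domain-joined host.
$user = "CN=Jane Doe,OU=Staff,DC=contoso,DC=com"

# Read the new password masked, so it never appears on screen or in history.
$newPassword = Read-Host -Prompt "New password" -AsSecureString

# Bind to the user object. The "LDAP:" moniker is case-sensitive.
$oUser = [adsi]"LDAP://$user"

# SetPassword wants a plain string, so unwrap the SecureString as late as
# possible and wipe the unmanaged copy afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # IADsUser::SetPassword; psbase is required on Windows PowerShell 1.0.
    # A password that violates domain policy surfaces here as an exception.
    $oUser.psbase.Invoke("SetPassword", $plain)
    $oUser.psbase.CommitChanges()
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# Optional (added here, not in the original): pwdLastSet = 0 flags the account
# as "user must change password at next logon".
$oUser.Put("pwdLastSet", 0)
$oUser.SetInfo()
```

Two practitioner notes on this path: the caller needs the Reset Password right on the target object, and according to the IADsUser::SetPassword documentation the method does not send the password over plain LDAP but tries an SSL-protected LDAP connection first, then Kerberos, then the SAM RPC interface. The clear-text password still exists in the script's process memory while the call runs, which is the main reason the cmdlet approach below is preferable.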

The Set-AdUserPwd.ps1 script runs on both Windows PowerShell 1.0 and Windows PowerShell 2.0, and it works against any version of Active Directory. A much better approach, however, is available with the Active Directory Domain Services (AD DS) cmdlets introduced with Windows Server 2008 R2: the Set-ADAccountPassword Windows PowerShell cmdlet. (The cmdlets need the Active Directory module on the client and a domain controller that runs Active Directory Web Services, or the Active Directory Management Gateway Service on older domain controllers.) Changing a user’s password with it does not require you to write a script; you can do it directly in the Windows PowerShell console. As a nice security advantage, the password is masked while you type it, is handled as a SecureString rather than plain text, and the cmdlet's traffic to the domain controller is encrypted on the wire.

The first thing that must be accomplished is to import the Active Directory module. It is possible to add this command to your Windows PowerShell profile, and it might even make sense if you routinely work with AD. A recent series of Hey, Scripting Guy! Blog posts talks about the Windows PowerShell profile, and will assist you in deciding what to add and what to leave out. The Import-Module cmdlet is used to import the AD module; the wildcard ac* matches the module's full name, ActiveDirectory, which you can also spell out in full.

Import-Module ac*

After the AD module has been imported, the Set-ADAccountPassword cmdlet can be used to reset the password. You do not have to use the complete distinguished name for the user; the -Identity parameter also accepts a SAM account name, a GUID or a SID. To reset the password (that is, without supplying the old one) use the -Reset switch. Interestingly enough, even though the help files state that not including the old password with the new one will force the user to change the password on logon, in my testing this was not the case. In addition, if you leave out the -NewPassword parameter, the cmdlet prompts for it. The basic command is shown here:
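The cmdlet approach as an added, runnable example (not the command from the original post). It wraps the administrative reset and the self-service change in two functions so the difference is visible: a reset needs only the Reset Password right and skips minimum password age, a change requires the old password and honours age and history. Because the help text's promise of a forced change did not hold in the author's testing, the reset sets ChangePasswordAtLogon explicitly with Set-ADUser. 'jdoe' is a placeholder SAM account name; the exception type caught is the one the AD module raises for policy violations:

```powershell
# Added example, not from the original post. 'jdoe' is a placeholder SAM account
# name; the caller needs the "Reset Password" right on the account for the reset.
Import-Module ActiveDirectory

# Administrative reset: no old password, so it also bypasses minimum password age
# and is audited on the DC as event 4724 (reset) rather than 4723 (change).
function Reset-UserPassword {
    param([Parameter(Mandatory)][string]$Identity)

    $newPassword = Read-Host -Prompt "New password for $Identity" -AsSecureString
    try {
        # -Reset performs the reset; the SecureString is passed straight through,
        # so the clear-text password never appears in the console or history.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword -ErrorAction Stop
        # -Reset alone does not force a change at next logon, so do it explicitly.
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADPasswordComplexityException] {
        Write-Warning "Rejected by domain password policy: $($_.Exception.Message)"
        return
    }
    # Verify: PasswordLastSet is blank and pwdLastSet is 0 while a change is pending.
    Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordExpired, pwdLastSet |
        Select-Object SamAccountName, PasswordLastSet, PasswordExpired, pwdLastSet
}

# Self-service change: the old password is required, so this respects minimum
# password age and history; the user needs only the "Change Password" right.
function Update-OwnPassword {
    param([Parameter(Mandatory)][string]$Identity)

    $old = Read-Host -Prompt "Current password" -AsSecureString
    $new = Read-Host -Prompt "New password" -AsSecureString
    Set-ADAccountPassword -Identity $Identity -OldPassword $old -NewPassword $new -ErrorAction Stop
}

Reset-UserPassword -Identity "jdoe"
```

The -ErrorAction Stop on each cmdlet call turns the module's non-terminating errors into terminating ones so the catch block actually runs; without it a policy rejection would only be written to the error stream and the verification query would still print.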

SD, that is all there is to changing a user’s Active Directory password via Windows PowerShell. User Management Week will continue tomorrow when we will talk about retrieving the members of a group in Active Directory in alphabetical order.

module "ac*" was not loaded because no valid module file was found in any module directory

How could I fix this error???

JonHocking

29 Aug 2013 10:46 AM

@Shadin - you need to have added the RSAT (Remote Server Admin Tools) to your computer - get them from Microsoft, for the OS you need - they vary in install files.

Once RSAT is installed, you need to activate them in Programs and Features, Turn Windows Features on and off. Basically, select the RSAT checkbox, and click OK. At that point, you will be able to import-module ac* with no problems.
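As an added check (not part of JonHocking's reply), a function that tests for the module before importing it and, when it is missing, says which installation route applies to the Windows edition it finds. The feature name and the RSAT capability name are the ones Microsoft ships; Get-CimInstance assumes PowerShell 3.0 or later:

```powershell
# Added example, not from the thread. Returns $true when the ActiveDirectory
# module could be imported, $false (with installation guidance) when it is absent.
function Test-ADModule {
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        return $true
    }

    Write-Warning "The ActiveDirectory module is not installed on this computer."
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    if ($os.ProductType -ne 1) {
        Write-Warning "On a server, run (elevated): Install-WindowsFeature RSAT-AD-PowerShell"
    }
    elseif ([Version]$os.Version -ge [Version]"10.0.17763") {
        # Windows 10 1809 and later ship RSAT as a feature on demand.
        Write-Warning "On Windows 10 1809 or later, run (elevated): Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
    }
    else {
        Write-Warning "Install the RSAT package for this OS from Microsoft, then enable 'Active Directory module for Windows PowerShell' under Turn Windows features on or off."
    }
    return $false
}

if (Test-ADModule) {
    Get-Command -Module ActiveDirectory -Name Set-ADAccountPassword
}
```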

BCF

9 Sep 2013 4:03 AM

Thanks scripting guy. Hilarious and helpful at the same time.

John h

10 Mar 2014 12:47 AM

Sorry for being a rookie... I understand scripting; however, some of the conventions I am unfamiliar with. Here is what I think I understand -- please clarify:

$oUser ~ this is a declared variable?
$User ~ this is a declared variable that refers to a column in a CSV file?

I found good information on changing a user's Active Directory password with a PowerShell script. This article explains how to change an AD password with a script and set a local user password, but I already tried this AD self-service password reset tool (www.selfservicepasswordreset.org) to do this task. Thanks

Thank you so much for this article. I tried this Set-ADAccountPassword cmdlet while changing the user password, but it showed an error message; then I searched for this self-service password reset (http://www.lepide.com/active-directory-self-service/) software, which provides the facility to reset Active Directory passwords, send email notifications to users when their passwords expire, and update their profile information in Active Directory without involving the helpdesk personnel.